## Bleichenbacher's CCA2 on RSA

### jshmendes

39 solved
March 15, 2016, 11:28 a.m.

Hello There, Is there an optimal choice for the first s ? I have tried random values (but I am sure there is a better choice) for a few hours, with no luck. Any hint ? Thanks

### anton

Staff
March 15, 2016, 6:47 p.m.

I started with the value s = ceiling(N / 3B) ( B being defined in the paper as 2^(8 * (k-2)) ). This is the same value as is recommended in Step 2.a of the paper.

### ryandiaz6

15 solved
July 14, 2016, 12:13 a.m.

I arrive at a valid solution but it is 14 hex characters, and a bunch of 0's padded on the right. They are not ASCII characters and this doesn't resemble a valid padded message. Any thoughts? I wouldn't think a valid solution would be found by accident.

### anton

Staff
July 14, 2016, 5:51 a.m.

That doesn't sound quite right, you can email us with the specifics if you like. Otherwise I'm not sure there's much I can recommend beside double checking you implemented the algorithm, as described in the paper, correctly

### ryandiaz6

15 solved
July 14, 2016, 10:59 p.m.

I rewrote basically the exact same algorithm on a python 2.7 machine and got the correct answer. The python 3 version seems to give an incorrect answer. In any case I got it, thanks.

### anton

Staff
July 15, 2016, 8:45 p.m.

It may have to do with the fact that python 2 will round down to the nearest integer when you divide two integers. Python 3 will actually give you back a float when you divide two integers (use // in 3 to get the behavior of / in 2). In any case, congrats on solving the problem!

### dottedmag2

41 solved
Dec. 8, 2020, 11:35 p.m.

Is it expected that the oracle returns 0 on the original ciphertext?

### rsgelhar

39 solved
April 16, 2022, 12:07 a.m.

The oracle should be returning a 1 on the given ciphertext, since I've confirmed by factorizing the modulus it's PCKS15 padded. Seems like either the example code from this does not work in python3 or the problem is busted now.

### rsgelhar

39 solved
April 17, 2022, 3:25 a.m.

For those who are trying to do this problem offline, I've written a function for Python3 that you can use instead. If the creators are bummed about me posting the private exponent, y'all can hmu and have me remove the post.

def is_padded(cnum):
#first we decode it on our end
d = 0x519ae77c3b9a12d4f94419fed92658e7ebb1bb6fe660ee234bb1d5e0d7f600441b69501ed308ef59c20fa55a4ef6613